a238bd522702802eb2a2b71b4b00a1a1553b1c2fff0d8b9e50b13e999cabbdf3

General

Target

YoudaoDict.exe
Size

6.8MB
MD5

ff3d9c5dcde804a90e862de9c1d32a8c
SHA1

04b0da40346d661a11e9e899daec104ee77c6606
SHA256

a238bd522702802eb2a2b71b4b00a1a1553b1c2fff0d8b9e50b13e999cabbdf3
SHA512

288e716dd70bedd1cebdc7582f44d969050de9ffe387ae0b9363937fc41b62eedb1faba1fd0cead9a05ba96a880df4d00727e60cde2606a16849e8a5cf266ac3
SSDEEP

12288:IPvAXg30gk3yrkb+/nCSnilwUOSFaoAiTI2MHPwrQKUs6:IgpbOROQ3s6

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

RG0M.exe

pid process

2796 RG0M.exe
Loads dropped DLL 5 IoCs

Processes:

YoudaoDict.exeWerFault.exe

pid process

2232 YoudaoDict.exe
2232 YoudaoDict.exe
356 WerFault.exe
356 WerFault.exe
356 WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

356 2796 WerFault.exe RG0M.exe

pid	process
2796	RG0M.exe

pid	process
2232	YoudaoDict.exe
2232	YoudaoDict.exe
356	WerFault.exe
356	WerFault.exe
356	WerFault.exe

pid	pid_target	process	target process
356	2796	WerFault.exe	RG0M.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

YoudaoDict.exeRG0M.exe

description	pid	process	target process
PID 2232 wrote to memory of 2796	2232	YoudaoDict.exe	RG0M.exe
PID 2232 wrote to memory of 2796	2232	YoudaoDict.exe	RG0M.exe
PID 2232 wrote to memory of 2796	2232	YoudaoDict.exe	RG0M.exe
PID 2232 wrote to memory of 2796	2232	YoudaoDict.exe	RG0M.exe
PID 2796 wrote to memory of 356	2796	RG0M.exe	WerFault.exe
PID 2796 wrote to memory of 356	2796	RG0M.exe	WerFault.exe
PID 2796 wrote to memory of 356	2796	RG0M.exe	WerFault.exe
PID 2796 wrote to memory of 356	2796	RG0M.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\YoudaoDict.exe
"C:\Users\Admin\AppData\Local\Temp\YoudaoDict.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232

C:\ProgramData\RG0M.exe
"C:\ProgramData\RG0M.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 784
3⤵
- Loads dropped DLL
- Program crash
PID:356

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RG0M.exe
Filesize
34KB

MD5
d9aada6f62494ca56bd25f2e85a7c83e

SHA1
edcae6515a4a7d0103dd9912619d0a5f1dff22a8

SHA256
c9ddd33829716a997aa469613c9c1e392dca7a69a1d6ba18f83715d6d478a003

SHA512
6ac7e580dbb27b9fbb9bbc4e641a94c7175e6e949af6063e0b9bae2a9ee8455d0444d69bf14b1c1df34216eb48a93d4eb2b6cfe53ecee6f375c06c7de74720b7

Download Submit
C:\ProgramData\RG0M.exe
Filesize
94KB

MD5
1cb577533af5685407291ca4514fbb5f

SHA1
9350fe02453ef3269c051d304bae5bebb3598434

SHA256
48b37ca4f70341edb22e893b2749f5d88adbfe996d8232173d98bb45e0b79a84

SHA512
bb6791cea87e59f700e72b096d79bef4165f6fe541f3041fee060112f340673daeb71381dbd5064418601c2b8f631493eca948edd6909cf75e36193d58cc6666

Download Submit
\ProgramData\RG0M.exe
Filesize
15KB

MD5
60c4687ad823974e94427443f9212fc1

SHA1
d5b8c6735695ccfb62b37156019919f0db35d710

SHA256
120282a97edd29ba7eb45bba23b275efa5f1d61da58bce0d8af5aed4d99f40af

SHA512
79bbc68c45bdb97f72c3878c9d150a0e10f1c23a2c8b8eec9c43f8e7b76fe480b75f3078a12e3cc70f77fca854f9079ec8967b7f13a424613f4e91fb64cb4555

Download Submit
\ProgramData\RG0M.exe
Filesize
29KB

MD5
24dc26c3bc1d3ccbef8487dd8bc1d53d

SHA1
f67f087575f0fa2de379bd643943eac410bb16e0

SHA256
d8eb58a5059325a6db2d4219e65a0f2d91002f243545f358d2df04c8959f9a35

SHA512
5a93f567f37e0dbbe1a1fb4bc915a3f8f452202f6c5e1959393706fb303854935aa8b243a482879c712d900a67437e2744e91ab72942b3a4a404fa22607652a7

Download Submit
\ProgramData\RG0M.exe
Filesize
20KB

MD5
d32241e185378cee962bb408e6072aa9

SHA1
532a85fef3358404c0010633b4c9987379930e20

SHA256
bee1f1ee47cd0ed48b651dcb98301eabdb11f6f9784a922aec5bfeba62ed7b07

SHA512
847bbeb1200fb339029857b412e583a210f72e437eed3973a90ec485adc769f8a4d39cc04230fe25e7f3161fcaa5aca659cabf31259e6a025763c61529bb9386

Download Submit
\ProgramData\RG0M.exe
Filesize
85KB

MD5
f8e1c0cfc43c820171eac3c65e51968f

SHA1
aecd7b90e5562ec036b648343ae8f06cb490721d

SHA256
4d114343854f08cfac300c9a75aad4359cc55b4a938547c1dd5c985c76f5924c

SHA512
4feea233634e8957f8aa8875b3e4b0f41083ebb09bb6d562adafa52baf1ff8b21b98ad16c4faec8514349a8b9c29cfa08305ccfc88f845a9bf17075adb8c3300

Download Submit
\ProgramData\RG0M.exe
Filesize
72KB

MD5
41a20819cced59e5867642b663142e15

SHA1
59a0176987fa35a4fcee8a52e69720cdf378d1b2

SHA256
57174468e003f5c21adb949f2414f31fcf537f9655e01010a56ab08afcd15572

SHA512
080043db9ac27566f885ba8b5e108e914339b4c02d0f909edec78033ce68213a7abc15a116d2a451d2461d9a1852c1992b859692cd426fc06eb466b8ba60d482

Download Submit
memory/2232-1-0x0000000074170000-0x000000007485E000-memory.dmp

Filesize
6.9MB

Download
memory/2232-0-0x0000000000F00000-0x0000000000F88000-memory.dmp

Filesize
544KB

Download
memory/2232-13-0x0000000074170000-0x000000007485E000-memory.dmp

Filesize
6.9MB

Download
memory/2232-10-0x0000000002390000-0x00000000023CD000-memory.dmp

Filesize
244KB

Download
memory/2796-12-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing